fix: fix refChecker when namespace is specified and is the same as route's namespace

[pmalek]

What this PR does / why we need it:

When route has the same namespace specified as the backendref, then it should be allowed without a ReferenceGrant.

Additionally this PR adds Service lookup in backendRefsToKongStateBackends() to verify if the provided namespace exists.

The gist of this change is in internal/dataplane/translator/backendref.go. The rest is just adapting the tests basically.

Which issue this PR fixes:

Fixes: #5388

Special notes for your reviewer:

PR Readiness Checklist:

Complete these before marking the PR as ready to review:

• the CHANGELOG.md release notes have been updated to reflect any significant (and particularly user-facing) changes introduced by this PR

[codecov]

Codecov Report

Attention: 7 lines in your changes are missing coverage. Please review.

Comparison is base (b8b543c) 0.0% compared to head (6215568) 69.5%.
Report is 3 commits behind head on main.

Files	Patch %	Lines
internal/dataplane/translator/backendref.go	83.7%	5 Missing and 2 partials ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##           main   #5392      +/-   ##
=======================================
+ Coverage      0   69.5%   +69.5%     
=======================================
  Files         0     176     +176     
  Lines         0   22525   +22525     
=======================================
+ Hits          0   15673   +15673     
- Misses        0    5924    +5924     
- Partials      0     928     +928     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pmalek]

This needs to be updated to account for failing conformance test:

TestGatewayConformance/HTTPRouteInvalidNonExistentBackendRef/HTTP_Request_to_invalid_nonexistent_backend_receive_a_500 (30.00s)

[randmonkey]

I have checked the failing conformance test: TestGatewayConformance/HTTPRouteInvalidNonExistentBackendRef/HTTP_Request_to_invalid_nonexistent_backend_receive_a_500 . This test case specifies a backendRef with the same namespace of the HTTPRoute.
Before the change, we got 0 available backend services, but after the change we got a backend but with no upstreams. So we got 503 but not the expected 500.
We can see the following message in the output of conformance tests:

  http.go:238: Response expectation failed for request: {URL: {Scheme:http Opaque: User: Host:172.18.128.3 Path:/ RawPath: OmitHost:false ForceQuery:false RawQuery: Fragment: RawFragment:}, Host: , Protocol: HTTP, Method: GET, Headers: map[X-Echo-Set-Header:[]], UnfollowRedirect: false, Server: , CertPem: <truncated>, KeyPem: <truncated>}  not ready yet: expected status code to be 500, got 503 (after 17.04749077s)

[pmalek]

I have checked the failing conformance test: TestGatewayConformance/HTTPRouteInvalidNonExistentBackendRef/HTTP_Request_to_invalid_nonexistent_backend_receive_a_500 . This test case specifies a backendRef with the same namespace of the HTTPRoute. Before the change, we got 0 available backend services, but after the change we got a backend but with no upstreams. So we got 503 but not the expected 500. We can see the following message in the output of conformance tests:

  http.go:238: Response expectation failed for request: {URL: {Scheme:http Opaque: User: Host:172.18.128.3 Path:/ RawPath: OmitHost:false ForceQuery:false RawQuery: Fragment: RawFragment:}, Host: , Protocol: HTTP, Method: GET, Headers: map[X-Echo-Set-Header:[]], UnfollowRedirect: false, Server: , CertPem: <truncated>, KeyPem: <truncated>}  not ready yet: expected status code to be 500, got 503 (after 17.04749077s)

Yes. In order to mitigate that we'd have to pass down a client of sorts (or something that could list namespaces) to either

kubernetes-ingress-controller/internal/dataplane/translator/backendref.go

Lines 13 to 14 in 9b81665

	func backendRefsToKongStateBackends(

or

kubernetes-ingress-controller/internal/dataplane/translator/wrappers_refchecker.go

Line 23 in 9b81665

func (rc refChecker[T]) IsRefAllowedByGrant(

so that we ensure that the namespace pointed by the backendRef exists.

Unless there are other ideas that I haven't thought about 🤔

[programmer04]

It will resolve below, won't it?

• HTTPRoute with backendref to service within same namespace with explicit namespace parameter does not work without ReferenceGrant #5388
• https://github.com/Kong/gateway-operator/issues/497

[pmalek]

Yes it will. It's cross referenced above.